Report a Bug · Request a Feature
- To dampfhamm3r he had the idea for the project and needed a lot of perseverance to work on it.
- To ELLR he supported us and carried out code reviews
- To yogibaer75 he answered many of our questions at the CheckMK conference.
- To thl-cmk who took the time to do a review.
- To sva-mh he contributed the first bugfixes for CheckMK 2.3.
- To bitwiz for helping to improve the special agent.
See GitHub build action, where you can download the latest .mkp file.
- Click on the latest run
- Download the artifact at the bottom of the site
This is the repository for the Fortinet Firewall Special Agent. Due to conflicts with the built-in CheckMK checks, the rules are renamed to FortiOS.
To create an API token for Checkmk, follow these steps:
-
Create an administrator profile:
Go toSystem→Admin Profiles→Create New- Name:
checkmk-readonly - Permissions: Set all to
Read - Permit usage of CLI diagnostic commands:
False
- Name:
-
Create REST API Administrator:
Go toSystem→Administrators→Create New→REST API Administrator- Username:
checkmk - Administrator Profile:
checkmk-readonly(or how you named it) - Virtual Domains: select all VDOMs
- PKI Group:
False - CORS Allow Origin:
False - Trusted Hosts:
True→ enter theIP OF YOUR CHECKMK INSTANCE
- Username:
- Install the plugin via Extensions
- Search for FortiOS special angent and configure a rule
- Confirgure the rule for your needs:
- API Token:
TOKEN YOU CREATED ABOVE - Port: 8443 is default
- SSL certificate checking: it's recommended to trust the certificate via CheckMK and not to deactivate the checks!
- Timeout: you may leave at default value, please increase in case of slow WAN
- API Token:
To have the piggyback data delivered, the DCD must be set up.
Go to Setup → DCD (dynamic configuration daemon)
- Title:
local - SIte:
cmk - Connector type:
Piggyback data - Sync interval:
1min - Create hosts in:
Main - Discovery services during creation:
Selected
To use the inventory, you have to create a rule.
Go to Setup → HW/SW inventory rules → Do hardware/software inventory
Specify the settings to fit your needs.
To monitor switch ports, the following should be noted:
- If the
FortiOS Switch Interface Discoveryrule is not configured, all interfaces will be discovered. - If the rule is configured, a pattern must be specified for the description.
- Currently, the description is visible in the service summary output. This should be changed later.
- Currently, all interface data is output in 'Service Details'. This makes debugging easier.
For the best development experience use VSCode with the Remote Containers extension. This maps your workspace into a checkmk docker container giving you access to the python environment and libraries the installed extension has.
See CONTRIBUTING.md
First, create a password named <forti_api_token> in the CheckMK password store. In older CheckMK versions, you can simply use the API token without the suffix part ":/var...".
To call the special agent manually, please use this command:
/opt/omd/sites/$USER/bin/python3 local/lib/python3/cmk_addons/plugins/fortios/special_agents/agent_fortios.py --api-token <forti_api_token>:var/check_mk/stored_passwords --port 8443 --no-cert-check <HOST_IP>
The following directories in this repo are getting mapped into the Checkmk site.
agents,checkman,checks,doc,inventory,notifications,pnp-templates,webare mapped intolocal/share/check_mk/agent_basedis mapped tolocal/lib/check_mk/base/plugins/agent_basednagios_pluginsis mapped tolocal/lib/nagios/pluginsbakeryis mapped tolocal/lib/check_mk/base/cee/plugins/bakerytempis mapped tolocal/tmpfor storing static agent output
To build the package hit Crtl+Shift+B to execute the build task in VSCode.
pytest can be executed from the terminal or the test ui.
The provided Github Workflows run pytest and ruff in the same checkmk docker container as vscode.